How much reliance do we place on the American electric grid? With the recent events still unfolding in North Carolina, the severity of the attack is still unknown. While the immediate impact of the damaged substations is obvious, especially to those living in Moore County, one can’t help but think, how do we protect the grid from similar events?


If you aren’t aware, the United States power grid is one of the most vulnerable infrastructures we have, and it also is one of the most important. Time and time again, analysis has been done on the dangers that face this grid system. 


Unfortunately, a clear and comprehensive solution has yet to be produced. With the existing grid infrastructure being roughly 40 years old, the equipment is becoming overworked and running short on lifespan. The threats that face the grid system have been well documented, some of them being debated at the congressional level. With the U.S. moving to more sustainable energy coupled with population growth, the strain on the grid makes it harder for the system to keep up. However, from a security standpoint, mitigating the risk associated with physical threats is a more achievable goal. Physical attacks like the ones in North Carolina are among the more controllable threats to mitigate.


The attacks in North Carolina are not the first. In April 2013, the Metcalf substation just south of San Jose, California was heavily damaged by gunfire. The attack damaged 17 Pacific Gas & Electric (PG&E) transformers. After a lengthy investigation involving the Department of Homeland Security and the Federal Energy Regulatory Commission (FERC), the suspects were never identified. More recently, after the attacks in Moore County, Portland General Electric (PGE) reported that it has been experiencing attacks throughout the Oregon and Washington state areas with increasing frequency.


With the latest attack in November, PGE has given little information other than that these attacks often involve tools, arson, and firearms. So how do we protect these substations from physical security threats today? 


The FERC is a federal agency responsible for the transmission and wholesale of all electricity and natural gas for interstate commerce. In 2014 a leaked report indicated that the U.S. had over 55,000 transformers nationwide; however, an attack on only nine could cripple the power grid across the country. At the time, former chairman of the FERC Jon Wellinghoff stated that damage to nine specific substations could cause the U.S. to lose power for up to 18 months. The attacks on the San Jose, California substations revealed to officials that a physical attack was becoming a real threat.  


In 2013, after the attack, the FERC fortified the location by building a perimeter wall and lining it with sandbags to protect the more vulnerable parts. Like the substations in NC, substations are often in rural areas, surrounded by a chain-link fence providing minimal protection. Although these measures act as a deterrent, Mr. Wellinghoff suggested that all substations review their security plans and take the necessary steps to provide protection.


From a security professional standpoint, one might wonder why we don’t install security monitoring systems. We are on the verge of 2023, and technology is the most advanced it has ever been. With the ability to monitor a location with sophisticated intrusion detection systems and video surveillance capabilities, it would seem foolish not to invest in widely accepted technologies. So why not leverage advanced technologies to protect our more valuable assets? The answer often comes down to connectivity and funds. As previously stated, most of the substations are located in rural America and don’t have the connectivity that’s required by these monitoring systems.


A simple stand-alone LTE mesh network is a great solution for remote areas. The technology is growing in popularity and is cost-effective given the criticality of this infrastructure to society. The approach from the federal government and the FERC should be to analyze all stations to determine their criticality levels and the need for additional technological implementations.


Like every security plan, the foundational element should be a Threat, Vulnerability, and Risk Assessment (TVRA). A TVRA is designed to provide risk mitigation options starting with no/low cost through capital investment. Is this feasible to accomplish at all 55,000 locations? Possibly.


To do this, the FERC and the U.S. Government should create a prioritized list of stations that require immediate attention and then work collaboratively with private ownership to set a realistic deadline for upgrading security systems at the stations. This operation could be very similar to the water treatment guidelines several years ago that mandated TVRAs for all water facilities in the U.S.


Following this template will allow them to identify each station, how many people it serves, at what capacity it’s running, the age of the equipment, and the likelihood of an issue based on local historical data. Then, with that data, they should compare those stations to their neighboring ones to determine the strain an outage would cause if one went down. After identifying these priority locations, a systematic approach to implementing security should be taken.


Securing our power grid and its substations is no easy task. The ability to increase connectivity in remote locations exists, and adding electronic and physical measures will safeguard our infrastructure. However, since these are private corporations, it comes at a cost, and that cost should be shared between the U.S., private entities, and the consumer.


The energy companies are more than willing to increase security capability and build in a forensic data capability, but it will take teamwork. In the end, we have limited options for what is certainly a critical aspect of modern society. As with most high-profile crimes, there are often copycat individuals, and one could easily assume that, with the publicity Moore County is receiving, it is only a matter of time before the next target is attacked.